[stunnel-users] basic usage question

Flo Rance trourance at gmail.com
Mon Mar 19 10:23:41 CET 2018


Hi Mark,

Great, I'm glad you've solved it.

Regards,
Flo Rance

On Sat, Mar 17, 2018 at 12:14 AM, Mark Foley <mfoley at novatec-inc.com> wrote:

> Solved! I've fixed up the various ports and now I am able to connect.  For the
> edification of other list readers I'll summarize.
>
> I have a local Linux host acting as firewall/router.  It routes requests on port
> 1234 to port 3389 on a local Linux workstation which is running x11vnc server
> listening on its local port 5900.  I want to connect to this VNC server from a
> remote vnc viewer.
>
> (Why does the router forward to port 3389? Because the workstation can dual-boot
> Windows, so the forward works regardless of booted OS.)
>
>
> Remote vnc viewer, stunnel client stunnel.conf:
>
> verify = 2
> pid = /home/mfoley/.stunnel/stunnel.pid
> CAfile = /home/mfoley/.stunnel/certificate.pem
> client = yes
> [x11vnc]
> accept = 5900
> connect = router.obfuscate.org:1234
>
>
> Local workstation vnc server, stunnel server stunnel.conf:
>
> pid = /var/run/stunnel.pid
> debug = 7
> [x11vnc]
> accept = 3389
> key = /root/privatekey.pem
> cert = /root/certificate.pem
> connect = 127.0.0.1:5900
>
>
> The certificate is self-signed and created on the stunnel/vnc server host using
> the following commands:
>
> openssl genrsa -out privatekey.pem 2048
> openssl req -new -x509 -days 365 -key privatekey.pem -out certificate.pem
>
> The certificate.pem is copied to the stunnel client host.
>
> With x11vnc listening on 5900 on the local workstation and with 'stunnel
> stunnel.conf' running on both stunnel client (as the normal user) and server
> hosts, I use the remote vnc viewer, logged in as a normal user, with the
> connection 127.0.0.1:5900
>
> I'm guessing I could configure my vnc viewers to connect to multiple clients with
> different [service] sections, for example:
>
> verify = 2
> pid = /home/mfoley/.stunnel/stunnel.pid
> CAfile = /home/mfoley/.stunnel/certificate.pem
> client = yes
>
> [remoteHost1]
> accept = 5900
> connect = router.obfuscate.org:1234
>
> [remoteHost2]
> accept = 5901
> connect = router.obfuscate.org:4321
>
> I haven't tried that, but I will.
>
> I further guess that I could have different CAfiles per server if I moved that
> directive to the respective service definitions (can someone confirm?), but I
> haven't tried that either.
>
> Thanks especially to Flo Rance for helping me work through this.
>
> Now, I have to figure out how to do this from a Windows client!
>
> --Mark
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
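As an added example (not code from the thread or from the stunnel project), a small Python checker that parses stunnel.conf files like the ones quoted above and flags the settings that would silently weaken the setup: a client service without `verify` (the server certificate is then never checked), a `verify` level with no CAfile/CApath to check against, a server service with no `cert`, and two services sharing an `accept` port. It models stunnel's rule that options before the first [section] are defaults inherited by every service, which is also why CAfile (a service-level option in stunnel) may be set globally or per service; the WEAK_CLIENT sample is constructed from the client config above with `verify = 2` removed.

```python
import re

def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}) from stunnel.conf text."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' begins a comment
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1).strip()
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        # Options before the first [section] are global defaults for all services.
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services

def audit(text):
    """List settings that weaken or break TLS verification in stunnel.conf."""
    global_opts, services = parse_stunnel_conf(text)
    findings, accept_owner = [], {}
    for name, local in services.items():
        opts = {**global_opts, **local}              # service inherits global defaults
        is_client = opts.get("client", "no").lower() == "yes"
        verify = int(opts.get("verify", "0"))        # stunnel default: no verification
        if is_client and verify == 0:
            findings.append(f"[{name}] client mode without verify: server certificate is never checked")
        if verify > 0 and not (opts.get("CAfile") or opts.get("CApath")):
            findings.append(f"[{name}] verify = {verify} but no CAfile/CApath to check against")
        if not is_client and not opts.get("cert"):
            findings.append(f"[{name}] server mode without a cert")
        port = opts.get("accept")
        if port in accept_owner:
            findings.append(f"[{name}] accept = {port} is already used by [{accept_owner[port]}]")
        accept_owner[port] = name
    return findings

# Constructed sample: the thread's client config with 'verify = 2' left out.
WEAK_CLIENT = """\
CAfile = /home/mfoley/.stunnel/certificate.pem
client = yes
[x11vnc]
accept = 5900
connect = router.obfuscate.org:1234
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CLIENT):
        print(finding)
```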